Protecting Commuter Rail From New Security Threats

We have denied state-backed companies from the Middle East from buying our ports, including in Newark, N.J. We have taken actions against companies from China and Russia that are run by former members of their military, as they tried to embed themselves in our domestic telecoms and software security industries. Yet we have been severely lacking in our efforts thus far to secure our commuter rail systems, which are equally important to our critical infrastructure.

You can’t underestimate the importance of commuter rail to the United States. On any given day, more than 15 million Americans ride a passenger rail vehicle on their way to work, traveling between cities or for pleasure. It’s the lifeblood of many major cities, which are out-sized engines to our country’s growth — benefiting workers, businesses and the economy.

The United States has begun upgrading old commuter rail systems and trains with next generation technology, which is both smarter and more connected. While this will surely increase efficiency and safety of commuter rail, it also presents new potential challenges in protecting the integrity of the system from the threats of the digital age — intentional disruption of day-to-day operations, spying and/or deliberate acts of terrorism.

Given this, you would think that commuter rail would get the same attention and treatment as our port, telecom and technology infrastructure — with smart investments, a watchful eye on suppliers and a strong consideration of security. This is not the case, and it should be worrying for everyone.

In the last few years, four of America’s largest cities — Boston, Chicago, Los Angeles and Philadelphia — procured new trains for their commuter rail systems. And all of them awarded a Chinese state-owned company with an opaque ownership structure to supply the rail cars. The company, CRRC, has never delivered on a project of this scale in the United States but underbid the nearest competitor by 25 percent to 50 percent — which is easy to do if you have the financial backing of the Chinese government and a desire to embed your products, which have a lifecycle of 30 to 40 years, into the U.S. rail system.

This should give everybody pause. It’s understandable that transit authorities are focused on financial costs with taxpayer dollars at stake and budgets tight.

However, little to no scrutiny was given to the security risks in choosing a supplier that is owned by the government of a nation that has a well-known history of hacking and digital spying / espionage against Western targets, has been steadily investing in critical infrastructure in other countries to increase its geopolitical leverage, and is increasingly flexing its muscles and asserting itself against the United States.

By producing our smart and more connected rail cars, this allows CRRC and its government backers intimate knowledge of all the ins, outs and backdoors of not just the trains but also the entire commuter rail system. We would also be dependent on them to support this infrastructure during the entire lifecycle. The potential national security costs could be huge if their state backers decide to go rogue.

This is not a far-fetched scenario. Christopher Wray, director of the FBI, recently commented, “I think China … in many ways represents the broadest, most challenging, most significant threat we face as a country. … Theirs is a long-term game that’s focused on just about every industry, every quarter of society in many ways.”

No wonder certain members of Congress, citing the potential threats from China and its moves to establish its position in the U.S. rail industry, are putting forward legislation to thwart certain countries from investing and being important players in our critical infrastructure.

For example, as states consider future rail projects, it would be wise for the decision-makers in the state to give this issue the serious consideration it deserves. Our commuter rail system is vital to our people, businesses and economy — and we need to take all precautions to ensure it is secure, especially as it enters the digital age, like we do for other key areas of our critical infrastructure.

Picking a supplier that does not present the possibility of ulterior motives is an obvious and important start.